[kernel-sec-discuss] r5444 - active

Ben Hutchings benh at moszumanska.debian.org
Tue Aug 1 00:55:16 UTC 2017 

Author: benh
Date: 2017-08-01 00:55:16 +0000 (Tue, 01 Aug 2017)
New Revision: 5444

Modified:
   active/CVE-2017-11472
   active/CVE-2017-11473
   active/CVE-2017-11600
   active/CVE-2017-7541
   active/CVE-2017-7542
   active/CVE-2017-9986
Log:
Fill in status of most issues

Modified: active/CVE-2017-11472
===================================================================
--- active/CVE-2017-11472	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-11472	2017-08-01 00:55:16 UTC (rev 5444)
@@ -1,12 +1,16 @@
 Description: ACPICA: Namespace: fix operand cache leak
 References:
 Notes:
+ bwh> This is not a valid issue as ACPI tables are trusted.  The issue of
+ bwh> kASLR being broken through stack traces is mitigated by commit
+ bwh> bb5e5ce545f2 "x86/dumpstack: Remove kernel text addresses from stack
+ bwh> dump".) and by the dmesg_restrict feature.
 Bugs:
 upstream: released (4.12-rc1) [3b2d69114fefa474fca542e51119036dceb4aa6f]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-upstream-stable: ignored
+3.16-upstream-stable: ignored
+3.2-upstream-stable: ignored
+sid: ignored
+4.9-stretch-security: ignored
+3.16-jessie-security: ignored
+3.2-wheezy-security: ignored

Modified: active/CVE-2017-11473
===================================================================
--- active/CVE-2017-11473	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-11473	2017-08-01 00:55:16 UTC (rev 5444)
@@ -2,12 +2,13 @@
 References:
  https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=70ac67826602edf8c0ccb413e5ba7eacf597a60c
 Notes:
+ bwh> This is not a valid issue as ACPI tables are trusted.
 Bugs:
 upstream: released (4.13-rc2) [dad5ab0db8deac535d03e3fe3d8f2892173fa6a4]
 4.9-upstream-stable: released (4.9.40) [036d59f40ac94964a1bbc8959f78f34efac71fd5]
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-upstream-stable: ignored
+3.2-upstream-stable: ignored
+sid: ignored
+4.9-stretch-security: ignored 
+3.16-jessie-security: ignored
+3.2-wheezy-security: ignored

Modified: active/CVE-2017-11600
===================================================================
--- active/CVE-2017-11600	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-11600	2017-08-01 00:55:16 UTC (rev 5444)
@@ -2,12 +2,14 @@
 References:
  http://seclists.org/bugtraq/2017/Jul/30
 Notes:
+ bwh> Introduced by commit 5c79de6e79cd "[XFRM]: User interface for handling
+ bwh> XFRM_MSG_MIGRATE" in 2.6.21.
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-7541
===================================================================
--- active/CVE-2017-7541	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-7541	2017-08-01 00:55:16 UTC (rev 5444)
@@ -1,12 +1,14 @@
 Description: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
 References:
 Notes:
+ bwh> Introduced by commit 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+ bwh> in 3.9.
 Bugs:
 upstream: released (4.13-rc1) [8f44c9a41386729fea410e688959ddaa9d51be7c]
 4.9-upstream-stable: released (4.9.39) [414848bba6ab91fe12ca8105b4652c4aa6f4b574]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: pending
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: pending (4.12.3-1)
 4.9-stretch-security: pending (4.9.30-2+deb9u3) [bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch]
 3.16-jessie-security: pending (3.16.43-2+deb8u3) [bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch]
-3.2-wheezy-security:
+3.2-wheezy-security: N/A "Vulnerable code not present"

Modified: active/CVE-2017-7542
===================================================================
--- active/CVE-2017-7542	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-7542	2017-08-01 00:55:16 UTC (rev 5444)
@@ -3,10 +3,10 @@
 Notes:
 Bugs:
 upstream: released (4.13-rc2) [6399f1fae4ec29fab5ec76070435555e256ca3a6]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
 4.9-stretch-security: pending (4.9.30-2+deb9u3) [bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch]
 3.16-jessie-security: pending (3.16.43-2+deb8u3) [bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch]
-3.2-wheezy-security:
+3.2-wheezy-security: needed

Modified: active/CVE-2017-9986
===================================================================
--- active/CVE-2017-9986	2017-07-28 08:16:19 UTC (rev 5443)
+++ active/CVE-2017-9986	2017-08-01 00:55:16 UTC (rev 5444)
@@ -5,7 +5,7 @@
  bwh> Also, Debian doesn't build the OSS drivers.
 Bugs:
  https://bugzilla.kernel.org/show_bug.cgi?id=196135
-upstream:
+upstream: needed
 4.9-upstream-stable: ignored "Minor issue"
 3.16-upstream-stable: ignored "Minor issue"
 3.2-upstream-stable: ignored "Minor issue"

More information about the kernel-sec-discuss mailing list